commit 1ce7180d601787f070986d1e3d199330de6492ff · pyrox.dev/nixpkgs

+52 -11

nixos/modules/services/networking/wg-quick.nix

···

       11
       11
        
         interfaceOpts = { ... }: {

     

       12
       12
        
           options = {

     

       13
       13
        
       

     

       14
       14
       +
             type = mkOption {

     

       15
       15
       +
               example = "amneziawg";

     

       16
       16
       +
               default = "wireguard";

     

       17
       17
       +
               type = types.enum ["wireguard" "amneziawg"];

     

       18
       18
       +
               description = ''

     

       19
       19
       +
                 The type of the interface. Currently only "wireguard" and "amneziawg" are supported.

     

       20
       20
       +
               '';

     

       21
       21
       +
             };

     

       22
       22
       +
       

     

       14
       23
        
             configFile = mkOption {

     

       15
       24
        
               example = "/secret/wg0.conf";

     

       16
       25
        
               default = null;

     
···

       151
       160
        
               description = "Peers linked to the interface.";

     

       152
       161
        
               type = with types; listOf (submodule peerOpts);

     

       153
       162
        
             };

     

       163
       163
       +
       

     

       164
       164
       +
             extraOptions = mkOption {

     

       165
       165
       +
               type = with types; attrsOf (oneOf [ str int ]);

     

       166
       166
       +
               default = { };

     

       167
       167
       +
               example = {

     

       168
       168
       +
                 Jc = 5;

     

       169
       169
       +
                 Jmin = 10;

     

       170
       170
       +
                 Jmax = 42;

     

       171
       171
       +
                 S1 = 60;

     

       172
       172
       +
                 S2 = 90;

     

       173
       173
       +
                 H4 = 12345;

     

       174
       174
       +
               };

     

       175
       175
       +
               description = ''

     

       176
       176
       +
                 Extra options to append to the interface section. Can be used to define AmneziaWG-specific options.

     

       177
       177
       +
               '';

     

       178
       178
       +
             };

     

       154
       179
        
           };

     

       155
       180
        
         };

     

       156
       181
        
       

     
···

       227
       252
        
       

     

       228
       253
        
         writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");

     

       229
       254
        
       

     

       230
       230
       -
         generatePrivateKeyScript = privateKeyFile: ''

     

       255
       255
       +
         generatePrivateKeyScript = privateKeyFile: wgBin: ''

     

       231
       256
        
           set -e

     

       232
       257
        
       

     

       233
       258
        
           # If the parent dir does not already exist, create it.

     
···

       236
       261
        
       

     

       237
       262
        
           if [ ! -f "${privateKeyFile}" ]; then

     

       238
       263
        
             # Write private key file with atomically-correct permissions.

     

       239
       239
       -
             (set -e; umask 077; wg genkey > "${privateKeyFile}")

     

       264
       264
       +
             (set -e; umask 077; ${wgBin} genkey > "${privateKeyFile}")

     

       240
       265
        
           fi

     

       241
       266
        
         '';

     

       242
       267
        
       

     
···

       244
       269
        
           assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";

     

       245
       270
        
           assert assertMsg (values.generatePrivateKeyFile == false || values.privateKeyFile != null) "generatePrivateKeyFile requires privateKeyFile to be set";

     

       246
       271
        
           let

     

       247
       247
       -
             generateKeyScriptFile = if values.generatePrivateKeyFile then writeScriptFile "generatePrivateKey.sh" (generatePrivateKeyScript values.privateKeyFile) else null;

     

       272
       272
       +
             wgBin = {

     

       273
       273
       +
               wireguard = "wg";

     

       274
       274
       +
               amneziawg = "awg";

     

       275
       275
       +
             }.${values.type};

     

       276
       276
       +
             generateKeyScriptFile =

     

       277
       277
       +
               if values.generatePrivateKeyFile then

     

       278
       278
       +
                 writeScriptFile "generatePrivateKey.sh" (generatePrivateKeyScript values.privateKeyFile wgBin)

     

       279
       279
       +
               else

     

       280
       280
       +
                 null;

     

       248
       281
        
             preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;

     

       249
       282
        
             postUp =

     

       250
       250
       -
                   optional (values.privateKeyFile != null) "wg set ${name} private-key <(cat ${values.privateKeyFile})" ++

     

       251
       251
       -
                   (concatMap (peer: optional (peer.presharedKeyFile != null) "wg set ${name} peer ${peer.publicKey} preshared-key <(cat ${peer.presharedKeyFile})") values.peers) ++

     

       283
       283
       +
                   optional (values.privateKeyFile != null) "${wgBin} set ${name} private-key <(cat ${values.privateKeyFile})" ++

     

       284
       284
       +
                   (concatMap (peer: optional (peer.presharedKeyFile != null) "${wgBin} set ${name} peer ${peer.publicKey} preshared-key <(cat ${peer.presharedKeyFile})") values.peers) ++

     

       252
       285
        
                   optional (values.postUp != "") values.postUp;

     

       253
       286
        
             postUpFile = if postUp != [] then writeScriptFile "postUp.sh" (concatMapStringsSep "\n" (line: line) postUp) else null;

     

       254
       287
        
             preDownFile = if values.preDown != "" then writeScriptFile "preDown.sh" values.preDown else null;

     
···

       276
       309
        
               optionalString (postUpFile != null) "PostUp = ${postUpFile}\n" +

     

       277
       310
        
               optionalString (preDownFile != null) "PreDown = ${preDownFile}\n" +

     

       278
       311
        
               optionalString (postDownFile != null) "PostDown = ${postDownFile}\n" +

     

       312
       312
       +
               concatLines (mapAttrsToList (n: v: "${n} = ${toString v}") values.extraOptions) +

     

       279
       313
        
               concatMapStringsSep "\n" (peer:

     

       280
       314
        
                 assert assertMsg (!((peer.presharedKeyFile != null) && (peer.presharedKey != null))) "Only one of presharedKey or presharedKeyFile may be set";

     

       281
       315
        
                 "[Peer]\n" +

     
···

       301
       335
        
               wantedBy = optional values.autostart "multi-user.target";

     

       302
       336
        
               environment.DEVICE = name;

     

       303
       337
        
               path = [

     

       304
       304
       -
                 pkgs.wireguard-tools

     

       338
       338
       +
                 {

     

       339
       339
       +
                   wireguard = pkgs.wireguard-tools;

     

       340
       340
       +
                   amneziawg = pkgs.amneziawg-tools;

     

       341
       341
       +
                 }.${values.type}

     

       305
       342
        
                 config.networking.firewall.package   # iptables or nftables

     

       306
       343
        
                 config.networking.resolvconf.package # openresolv or systemd

     

       307
       344
        
               ];

     
···

       312
       349
        
               };

     

       313
       350
        
       

     

       314
       351
        
               script = ''

     

       315
       315
       -
                 ${optionalString (!config.boot.isContainer) "${pkgs.kmod}/bin/modprobe wireguard"}

     

       352
       352
       +
                 ${optionalString (!config.boot.isContainer) "${pkgs.kmod}/bin/modprobe ${values.type}"}

     

       316
       353
        
                 ${optionalString (values.configFile != null) ''

     

       317
       354
        
                   cp ${values.configFile} ${configPath}

     

       318
       355
        
                 ''}

     

       319
       319
       -
                 wg-quick up ${configPath}

     

       356
       356
       +
                 ${wgBin}-quick up ${configPath}

     

       320
       357
        
               '';

     

       321
       358
        
       

     

       322
       359
        
               serviceConfig = {

     
···

       325
       362
        
               };

     

       326
       363
        
       

     

       327
       364
        
               preStop = ''

     

       328
       328
       -
                 wg-quick down ${configPath}

     

       365
       365
       +
                 ${wgBin}-quick down ${configPath}

     

       329
       366
        
               '';

     

       330
       367
        
             };

     

       331
       368
        
       in {

     
···

       357
       394
        
         ###### implementation

     

       358
       395
        
       

     

       359
       396
        
         config = mkIf (cfg.interfaces != {}) {

     

       360
       360
       -
           boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;

     

       361
       361
       -
           environment.systemPackages = [ pkgs.wireguard-tools ];

     

       397
       397
       +
           boot.extraModulePackages =

     

       398
       398
       +
             optional (any (x: x.type == "wireguard") (attrValues cfg.interfaces) && (versionOlder kernel.kernel.version "5.6")) kernel.wireguard

     

       399
       399
       +
             ++ optional (any (x: x.type == "amneziawg") (attrValues cfg.interfaces)) kernel.amneziawg;

     

       400
       400
       +
           environment.systemPackages =

     

       401
       401
       +
             optional (any (x: x.type == "wireguard") (attrValues cfg.interfaces)) pkgs.wireguard-tools

     

       402
       402
       +
             ++ optional (any (x: x.type == "amneziawg") (attrValues cfg.interfaces)) pkgs.amneziawg-tools;

     

       362
       403
        
           systemd.services = mapAttrs' generateUnit cfg.interfaces;

     

       363
       404
        
       

     

       364
       405
        
           # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).

+125

nixos/tests/wireguard/amneziawg-quick.nix

···

       1
       1
       +
       import ../make-test-python.nix (

     

       2
       2
       +
         {

     

       3
       3
       +
           pkgs,

     

       4
       4
       +
           lib,

     

       5
       5
       +
           kernelPackages ? null,

     

       6
       6
       +
           nftables ? false,

     

       7
       7
       +
           ...

     

       8
       8
       +
         }:

     

       9
       9
       +
         let

     

       10
       10
       +
           wg-snakeoil-keys = import ./snakeoil-keys.nix;

     

       11
       11
       +
           peer = import ./make-peer.nix { inherit lib; };

     

       12
       12
       +
           commonConfig = {

     

       13
       13
       +
             boot.kernelPackages = lib.mkIf (kernelPackages != null) kernelPackages;

     

       14
       14
       +
             networking.nftables.enable = nftables;

     

       15
       15
       +
             # Make sure iptables doesn't work with nftables enabled

     

       16
       16
       +
             boot.blacklistedKernelModules = lib.mkIf nftables [ "nft_compat" ];

     

       17
       17
       +
           };

     

       18
       18
       +
           extraOptions = {

     

       19
       19
       +
             Jc = 5;

     

       20
       20
       +
             Jmin = 10;

     

       21
       21
       +
             Jmax = 42;

     

       22
       22
       +
             S1 = 60;

     

       23
       23
       +
             S2 = 90;

     

       24
       24
       +
           };

     

       25
       25
       +
         in

     

       26
       26
       +
         {

     

       27
       27
       +
           name = "amneziawg-quick";

     

       28
       28
       +
           meta = with pkgs.lib.maintainers; {

     

       29
       29
       +
             maintainers = [

     

       30
       30
       +
               averyanalex

     

       31
       31
       +
               azahi

     

       32
       32
       +
             ];

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           nodes = {

     

       36
       36
       +
             peer0 = peer {

     

       37
       37
       +
               ip4 = "192.168.0.1";

     

       38
       38
       +
               ip6 = "fd00::1";

     

       39
       39
       +
               extraConfig = lib.mkMerge [

     

       40
       40
       +
                 commonConfig

     

       41
       41
       +
                 {

     

       42
       42
       +
                   networking.firewall.allowedUDPPorts = [ 23542 ];

     

       43
       43
       +
                   networking.wg-quick.interfaces.wg0 = {

     

       44
       44
       +
                     type = "amneziawg";

     

       45
       45
       +
       

     

       46
       46
       +
                     address = [

     

       47
       47
       +
                       "10.23.42.1/32"

     

       48
       48
       +
                       "fc00::1/128"

     

       49
       49
       +
                     ];

     

       50
       50
       +
                     listenPort = 23542;

     

       51
       51
       +
       

     

       52
       52
       +
                     inherit (wg-snakeoil-keys.peer0) privateKey;

     

       53
       53
       +
       

     

       54
       54
       +
                     peers = lib.singleton {

     

       55
       55
       +
                       allowedIPs = [

     

       56
       56
       +
                         "10.23.42.2/32"

     

       57
       57
       +
                         "fc00::2/128"

     

       58
       58
       +
                       ];

     

       59
       59
       +
       

     

       60
       60
       +
                       inherit (wg-snakeoil-keys.peer1) publicKey;

     

       61
       61
       +
                     };

     

       62
       62
       +
       

     

       63
       63
       +
                     dns = [

     

       64
       64
       +
                       "10.23.42.2"

     

       65
       65
       +
                       "fc00::2"

     

       66
       66
       +
                       "wg0"

     

       67
       67
       +
                     ];

     

       68
       68
       +
       

     

       69
       69
       +
                     inherit extraOptions;

     

       70
       70
       +
                   };

     

       71
       71
       +
                 }

     

       72
       72
       +
               ];

     

       73
       73
       +
             };

     

       74
       74
       +
       

     

       75
       75
       +
             peer1 = peer {

     

       76
       76
       +
               ip4 = "192.168.0.2";

     

       77
       77
       +
               ip6 = "fd00::2";

     

       78
       78
       +
               extraConfig = lib.mkMerge [

     

       79
       79
       +
                 commonConfig

     

       80
       80
       +
                 {

     

       81
       81
       +
                   networking.useNetworkd = true;

     

       82
       82
       +
                   networking.wg-quick.interfaces.wg0 = {

     

       83
       83
       +
                     type = "amneziawg";

     

       84
       84
       +
       

     

       85
       85
       +
                     address = [

     

       86
       86
       +
                       "10.23.42.2/32"

     

       87
       87
       +
                       "fc00::2/128"

     

       88
       88
       +
                     ];

     

       89
       89
       +
                     inherit (wg-snakeoil-keys.peer1) privateKey;

     

       90
       90
       +
       

     

       91
       91
       +
                     peers = lib.singleton {

     

       92
       92
       +
                       allowedIPs = [

     

       93
       93
       +
                         "0.0.0.0/0"

     

       94
       94
       +
                         "::/0"

     

       95
       95
       +
                       ];

     

       96
       96
       +
                       endpoint = "192.168.0.1:23542";

     

       97
       97
       +
                       persistentKeepalive = 25;

     

       98
       98
       +
       

     

       99
       99
       +
                       inherit (wg-snakeoil-keys.peer0) publicKey;

     

       100
       100
       +
                     };

     

       101
       101
       +
       

     

       102
       102
       +
                     dns = [

     

       103
       103
       +
                       "10.23.42.1"

     

       104
       104
       +
                       "fc00::1"

     

       105
       105
       +
                       "wg0"

     

       106
       106
       +
                     ];

     

       107
       107
       +
       

     

       108
       108
       +
                     inherit extraOptions;

     

       109
       109
       +
                   };

     

       110
       110
       +
                 }

     

       111
       111
       +
               ];

     

       112
       112
       +
             };

     

       113
       113
       +
           };

     

       114
       114
       +
       

     

       115
       115
       +
           testScript = ''

     

       116
       116
       +
             start_all()

     

       117
       117
       +
       

     

       118
       118
       +
             peer0.wait_for_unit("wg-quick-wg0.service")

     

       119
       119
       +
             peer1.wait_for_unit("wg-quick-wg0.service")

     

       120
       120
       +
       

     

       121
       121
       +
             peer1.succeed("ping -c5 fc00::1")

     

       122
       122
       +
             peer1.succeed("ping -c5 10.23.42.1")

     

       123
       123
       +
           '';

     

       124
       124
       +
         }

     

       125
       125
       +
       )

nixos/tests/wireguard/default.nix

···

       14
       14
        
           networkd = callTest ./networkd.nix;

     

       15
       15
        
           wg-quick = callTest ./wg-quick.nix;

     

       16
       16
        
           wg-quick-nftables = args: callTest ./wg-quick.nix ({ nftables = true; } // args);

     

       17
       17
       +
           amneziawg-quick = callTest ./amneziawg-quick.nix;

     

       17
       18
        
           generated = callTest ./generated.nix;

     

       18
       19
        
           dynamic-refresh = callTest ./dynamic-refresh.nix;

     

       19
       20
        
           dynamic-refresh-networkd = args: callTest ./dynamic-refresh.nix ({ useNetworkd = true; } // args);